Posted by samzenpus on Friday November 09, 2012 @05:36AM from the looking-at-plastic dept.

First time accepted submitter pev writes "A new credit card released in Singapore includes a screen and keyboard in order to generate one-time passwords for your online banking. From the article: 'The card has touch-sensitive buttons and the ability to create a "one-time password" - doing away with the need for a separate device sometimes needed to log in to online banking. Future versions of the card could display added information such as the remaining balance.' Let's hope they've put more thought into the implementation than with chip and pin."

No, they're to prevent the use of the information on the card without the card itself. These basically replace the CVV on the back of the card for determining that the user actually has it in their possession.

It's not required in order to make the transaction (nor, technically, is anything other than the account number; however, your interchange costs increase and your ability to fight chargebacks decrease by providing less information).

Actually, that's simply because it's against PCI regulation to store the CVN.

Most companies don't realize that asking for it on subsequent transactions is pointless so long as you ask for it the first time: you can still prove (with reasonable certainty) the customer had the card in-hand at some point; i.e. it wasn't bought from a Russian warez site.

In practice that's not true at all, but since when do theory and practice ever overlap?

There are tighter rules concerning the CVV. Merchants are never allowed to store, and don't need it to process refunds or continuing payments. Possibly it's not on the swipe, either, I'm not sure. So you could obtain the 16 digits from a stolen merchant database/backup or a sneaky swipe under the table, but not the CVV. That's the theory, anyway. It's never seemed like the strongest security measure on earth....

Magnetic strip data contains different information than what's read off the card; it effectively replaces the CVN for swiped card-present transactions. The issuing bank goes through a different (though functionally equivalent) routine to authorize the payment when they're sent PAN/CVN/exp instead of the raw track data.

Yes, because you can't enter it if you've never seen the card. The CVV was introduced when machines still physically imprinted receipts and prior to the laws banning the display of more than 4 or 5 digits of the number on any printed receipt. It isn't embossed, it's not on the front in the cases where an image is taken of the card, and any merchant found to be storing the code has their payment contract invalidated.

It was to combat the relative ease with which people could gather the name, number, and expir

What they did here is integrate a secure terminal like this one [bayimg.com] directly on the card.

These terminals are used for online banking. Every time you log in, you receive a different challenge. You then insert the card into the terminal and enter both the pin and the challenge and get the response back. Then you enter the response in the browser.

The goal of the system is to provide two-factors authentication. You need both something you have (the card) and something you know (the PIN).

The reason you need a secure terminal is that typing the PIN directly on the computer would allow a keylogger to steal it.
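The challenge/response flow described in this comment, as an added, simplified model (not code from the thread and not the real EMV/CAP algorithm; the HMAC construction, the per-card counter with a verification window and the 8-digit truncation are assumptions chosen for illustration):

```python
import hashlib
import hmac
import secrets
from typing import Optional

def _otp_from_mac(mac: bytes, digits: int = 8) -> str:
    # Assumed truncation: reduce the MAC to `digits` decimal digits.
    return str(int.from_bytes(mac, "big") % 10**digits).zfill(digits)

class Card:
    """The 'something you have': a secret key that never leaves the card."""
    def __init__(self, card_key: bytes, pin: str):
        self._key = card_key
        self._pin = pin
        self.counter = 0  # per-card counter, in the spirit of the transaction counter mentioned later in the thread

    def respond(self, challenge: str, pin_entered: str) -> Optional[str]:
        # The PIN ('something you know') is checked inside the card/reader, so a
        # keylogger on the computer never sees it; a wrong PIN yields no response.
        if not hmac.compare_digest(pin_entered, self._pin):
            return None
        self.counter += 1
        msg = f"{self.counter}:{challenge}".encode()
        return _otp_from_mac(hmac.new(self._key, msg, hashlib.sha256).digest())

class Bank:
    """Issuer side: knows each card's key and hands out one-time challenges."""
    def __init__(self) -> None:
        self._keys: dict = {}
        self._expected_counter: dict = {}
        self._open: dict = {}  # account -> outstanding challenge (single use)

    def enrol(self, account: str, card_key: bytes) -> None:
        self._keys[account] = card_key
        self._expected_counter[account] = 0

    def challenge(self, account: str) -> str:
        c = str(secrets.randbelow(10**8)).zfill(8)  # fresh each login
        self._open[account] = c
        return c

    def verify(self, account: str, response: Optional[str], window: int = 5) -> bool:
        c = self._open.pop(account, None)  # challenge is consumed, success or not
        if c is None or response is None:
            return False
        key = self._keys[account]
        start = self._expected_counter[account]
        # Accept a small run of counter values so unused card responses do not lock the user out.
        for n in range(start + 1, start + 1 + window):
            expected = _otp_from_mac(hmac.new(key, f"{n}:{c}".encode(), hashlib.sha256).digest())
            if hmac.compare_digest(expected, response):
                self._expected_counter[account] = n
                return True
        return False
```

Because the bank discards each challenge after one verification attempt, a captured response is useless for a later login, and a response computed without the correct PIN never exists to capture.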

Indeed. PostFinance (a bank in Switzerland where I have an account as I'm a grad student there) has those exact same terminals. It's pretty slick.

Only disadvantage: they only allow one card to be linked to one's account for online access, even if it's a joint account. In my case, my wife has access to it because she does most of the financial stuff, but it's annoying. Naturally, we both have bank cards and can access the account via ATMs and the like, but only her card can be used for logging into the websi

Yes: we used to use RSA cards with numeric pads to do mutual authentication at (the late, lamented) Sun Microsystems. This is basically the minimum functionality one needs to be able to do financial transactions without having to maintain (and pay out!) huge reserves against fraud.

I saw these (or a similar type) last year here in Belgium when I was part of a test panel/opinion group.

Basically it was all possible types of payment systems thrown together in one card.

It had the debit card system we have here (Maestro / Bancontact), but at the same time you could use it as a credit card too (Visa / Mastercard). Most people in the group found this a good idea as all had multiple cards in their wallet.

As you can see it has the keypad type thing for extra authentication on the internet so you don't need an extra device for it. Nice, but less useful. Not everyone had a need for it, and we didn't get technical details about how secure it was or how it worked.

It also had some kind of contact-less system we don't have yet in Belgium but they said it was used in France. Small payments you could just make by holding your card above a reader, no need to enter a pin. As we don't know this, most found it insecure.

It also wasn't known if you could deactivate certain things or always had all features - like only use the debit/credit card combination but not the touchless thing.

I remember one disadvantage: the 'buttons' you had to push to generate the nr were difficult to operate. Had to push hard in exactly the right spot. Don't think elderly people could get along with it.

Technically I was impressed with this card for having battery electronics and an LCD in it, as it was very thin and still flexible.

The problem is that this is just for one specific card. An open standard would really be nice so that you didn't need to carry multiple cards, but the card companies consider that against their interests. Something like Google Authenticator on a smartphone would also be a nice solution.

No personal checks in Sweden, so all person-to-person transfers are done in cash. However, banks won't take huge piles of money... say anything over €500... so all of those transfers are done electronically. When I sold my used bike, we met and did the transfer electronically at a cafe via mobile phones. The biggest difference was that you had to put the credit card into a device that looks like a calculator and enter a number from the banking website into the card-inserted device. The number returned is then entered into the web to authenticate the transfer. This just does it all on one credit card, which is GREAT.

It's called CAP, Chip Authentication Programme [wikipedia.org]. I was the designer of the system that is used by a big UK bank. It requires a self-powered sleeve reader (that looks like a calculator) and it's an open standard so that all EMV cards can use any branded reader device (they don't tell you that). Some of the readers have a "MENU" button and you can read off the transaction counter etc. on your card. A handy way to tell if someone close has been using the card while you're not looking. If you do muck around with your card, be careful. I changed my PIN to be 6 digits on some test gear and ended up having to get a new bank card because the UK ATM network is hard coded to 4 digits. EMV cards support 6 digits.

"No personal checks in Sweden, so all person-to-person transfers are done in cash"

Did they get rid of cheques or did they never have them? I always thought Sweden was an advanced country, but it doesn't sound like it. Personal cheques are damn useful in situations where electronic banking can be a PITA and cash isn't feasible - eg paying a builder.

and all of that technology would have been useless in the past week here in the northeast. No electric = nightmare for cashless society. Even the places with electric were having trouble processing credit cards.

It's a shame the Swedish government mandated that all retailers that accept payments must have a 'black box' that tracks payments for the government. I develop software for (among others) the Swedish market. In Soviet Sweden my life is a pain in the arse!

Also, in Stockholm, I never saw a builder without a mobile phone? I never saw anyone with a mobile phone. And, don't say that the "government just wants its piece of the cake by not allowing cash." I like it because it really keeps things on the "up-and-up" as all personal tax records are publicly available.

You give him/her 400SEK in cash (€40) or he gives you an invoice with his/her banking info and you just transfer it. He'll just email/SMS you the invoice. Pretty simple. We ran into significant problems trying to deposit 25000SEK (€2500) in cash into an account after selling a few items. The police became involved because they thought it might be part of a money laundering scheme (the money can't be tracked once it's in the open.)

You could hand him cash - they still have that, they just don't have that out-dated form of transferring money. I can't see the benefit of cheques.

* You still need a bank account, so they're still traceable, ie. you can't use them for hiding funds, unless you take them to some dodgy cheque cashing place, which will take a percentage. I suppose you bank off-shore, but the issuer will still be able to determine where the money has gone.
* They take longer to clear, as the bank has to verify the issuer that the

It's really not that hard to log in and transfer the money. And you'll never run out of transfers, they can't be lost and you don't force the person receiving the transfer to have to go to the bank or scan in a check to get their money. It's not as hard as you're making it out to be and there are benefits.

Handing him the cheque isn't the completion of the transaction though. He then has to appear at the bank in person to deposit it and then there's a few days for it to clear while if you did it electronically, the transaction will actually be complete.

I'm sorry, did you just say the police got involved because you had to deposit a measly couple thou in cash?? That one thing pretty much negates any other advantage the Swedish system may have. No offense, but that's just insane.

Why are cheques so much more secure? They can still bounce, or I could call up the bank and ask them to cancel my chequebook, and still write them out. Sure, it's fraudulent, but if I'm willing not to pay somebody, then I probably don't care about upsetting some lawn care guy.

... or an insignificant matter of money (although don't necessarily have that money cause you didn't stop at the bank) how do you pay someone?

Easy, I log onto internet banking and queue the transfer for tomorrow. If you're relying on the cheque clearing delay as a free overdraft, I think you've got bigger worries.

Everyone in Sweden and all of Northern Europe does it this way. Germany is totally different and requires cash much more often, even more so than the US. After living in Sweden, Germany and the US... I can wholeheartedly say that the Swedish system is the easiest, quickest and best. With a mobile phone and the bank's App, a transfer takes less than 1 minute and is complete... try doing that with a check/cheque... talk about archaic... it's worse than cash.

If by Northern Europe you don't include the UK, Ireland or France then sure. If you mean just Scandinavia then maybe, but Scandinavia != the world and a lot of people in the rest of the world (myself included) find cheques quick and simple. I've done electronic payments for many things including my house and car and they are somewhat more hassle than just writing a cheque and handing it over.

Cash is anonymous. Rather useful if you want to avoid tax. And yes I have used it for that and no I don't give a damn if you disapprove so save your breath.

Ah, we've now got to the nub of it. I was wondering who would seriously trust a piece of handwritten paper that hopefully will be worth the money. As far as I can see, the people that want to keep cheques going are exactly the ones you should never trust a cheque from.

Seeing as you seem to mention builders and workmen a lot, it would appear that you work in the building trade - there's a surprise - always looking for a loophole and a shortcut.

But in countries with ubiquitous electronic banking, he WOULD have a computer or card reader. It'd be a fundamental tool of the job, without which he simply couldn't run his business. They're not exactly expensive these days, especially the ones that just attach to an existing mobile phone. Your builder probably spent more on his last new hammer.

>Did they get rid of cheques or did they never have them?
In the UK they want to get rid of them and they were due to be phased out but got a last minute reprieve. They're old tech but no solution for sending gifts if you're a granny etc. has been found yet.

Can't speak for Sweden, but honestly I'm surprised there are still places that have any measurable use of paper cheques still. I'm in my 30s and have never had a cheque account. Never written a cheque. Never received one. Hell, never even seen one other than vague recollections of my parents using them in the 80s when I was a kid.

I'm in Australia and while they technically haven't abolished cheques here, virtually no one uses them. The need for them vanished due to the invention (and more importantly standa

It's been a good 20 years since I've used a device like that for authentication. Maybe 19. Used it to log into telco switches. The token generator was a little device about the size of a small calculator, securely attached to a desk next to a laminated sheet of paper (taped to the desk) with step by step authentication instructions including username/password. The desk was in a secluded corner right next to an unlocked door that opened onto the building's loading dock.:facepalms:

Why would I want to carry one of these gadgets around when I already have a smartphone which can do the same job?

You answered this question in your first paragraph. A mobile phone application runs on a general purpose OS (which, unless it's an iPhone or a Google-branded Android phone, probably has a load of old and buggy libraries and kernel because your carrier doesn't push out updates sufficiently competently). Even if the app itself is perfectly written, the TCB contains a whole load of other stuff that really shouldn't be trusted - you install one malicious app by mistake (or visit one malicious web page with a b

The device as described sounds to me exactly like an app on a smartphone

A smartphone would be useless here. The key here is something you have (the card) and something you know (the pin). The device, whether built into the card or separate, and the PIN leads to creating the OTP. Maybe I'm just dense, but I don't see how a smartphone (w/o a card reader) would be any use here.

Actually, the whole point is to make sure the person making the transaction is authorized to make the transaction. "Card possession" is merely the mechanism used to accomplish that end. Theft and abuse have made it so that mere possession of the card is no longer sufficient to ensure that authority. The CVV number is an attempt to further ensure that the card possessor is the authorized user.

A smartphone app could be more secure. You've got the link from your phone to your bank under your control, a

Sorry. Clumsy wording on my part. The card company equates possessing the card with being authorized to use the card. The CVV ensures that whoever is making the transaction has the card (and thus is authorized to use it).

Is it? I don't see what's surprising here. The expensive device with more functionality has got the better input system. The cheap device that's distributed "freely" by banks to all their customers has the crappy input device that works less well but is significantly cheaper.

This is against the banks' interest. In Australia, the banks actually MAKE money out of fraud by overcharging and charge-backs to the merchant. Only because the law says the owner is liable up to the first $50, the bank wears the cost for any fraud. So it is a no brainer to send a 50 cent mag stripe card, rather than an expensive unit that may actually harm their business model. Cameras and SMS messaging do the job nicely.

Years ago, patents for laser stripe cards - replace mag strip with dvd like material, or high resolution mag

I'm not sure about the one in TFA, but one of the big differences in the prototype that I saw was that it used eInk instead of a traditional LCD for the display. This means that the battery life is a whole lot better. That, combined with improvements in battery technology means that it's possible to create one that will last for longer than the lifetime of a credit card and be able to create cryptographic tokens for this entire time. Oh, and I think you're misremembering the thickness of the 'credit card

This is slightly offtopic, but I want to promote the use of two-factor authentication. I just ordered a Yubikey for $25. It reportedly is supported by gmail, fastmail, lastpass among others:
http://www.yubico.com/ [yubico.com]

Basically we have "news" of a product by SmartDisplayer [smartdisplayer.com.tw], that they have been producing for the last 7 years, already implemented by some 30 banks, used by Visa in some markets, which I have been using with the in-house TOATH authentication systems for the last four years. So where's the news? Slow news day?

I'm not too worried about online. It seems to me that this technology would be far more useful for securing face-to-face transactions. Every time you hand your card over to a cashier or a waiter, you give them nearly unrestricted access to your account. If you just gave them a one-time password, that would be a huge increase in security.

MasterCard were demo'ing this in the late 1980s under the name "Super Smart Card". The only difference was that back then the cards were gold-coloured, not silver as in the BBC photo. Since then this has been retried a number of times by different manufacturers, failing each time. So I wouldn't hold out much hope for this one succeeding. OTOH wait a few years and there'll be another press release from another vendor about it.